The pandemic-era explosions of remote working, digital transformation and ransomware are stressing security executives so intensely that nearly half considered leaving the industry last year, according to a new survey that bodes poorly for closing the cyber skills gap.
Fully 45 per cent of the 1,000 C-suite and senior cyber security professionals – surveyed for Deep Instinct’s Voice of SecOps 2022 report – said they had considered leaving their jobs due to the stress of trying to secure ever-changing operating environments.
One-third of executives experienced a “high degree of stress” and 43 per cent said their stress levels were “moderate”, with 46 per cent saying their stress levels had increased over the past 12 months.
While executives are overwhelmed by the immensity of pandemic-era security challenges, security operations (SecOps) staff were most stressed by operational issues.
Most difficult was the expectation that they stop every threat even though this is impossible – cited by 47 per cent of respondents – followed by expectations that they’re always on call (43 per cent), and the challenge of having too few SecOps staff (40 per cent).
“We are too reliant on the hero mentality,” said one police-force CISO participating in the survey, who admitted that some security staff “are working 16 to 18 hour days at times.”
“That’s not sustainable,” the CISO said, “and we certainly shouldn’t be expecting people to put in those kinds of shifts as a part of our capability. They’ll burn out.”
With 46 per cent saying they know at least one person who has already quit due to stress, burnout is compromising the continuity of companies that rely on having enough cyber security expertise to protect their data and operational integrity.
Fully 26 per cent of SecOps respondents said it has become so hard to keep up with ever more ingenious cybercriminals that they have simply turned off security alerts.
“Certain cyber security teams see themselves in an unenviable position of being expected to stop every threat yet knowing this is an impossible expectation,” Deep Instinct content director Brendan Mangus noted.
“Meanwhile, the C-Suite are focused on prioritising security with a hybrid and remote workforce and ensuring continuity and threat mitigation in their ongoing digital transformation.”
Money can’t buy me peace of mind
The findings reflect the sense of unease that has pervaded the business community as ever more-aggressive organised cybercriminals ramp up unrelenting campaigns to disrupt businesses, steal data, and extract ever-larger ransoms from victims.
Many CISOs are so desperate to recover after a breach, Deep Instinct found, that 38 per cent have previously paid a ransom, primarily to minimise downtime or avoid bad publicity.
Paying up was no guarantee of success, however, with 46 per cent of respondents saying that their attackers exposed their data even after being paid and 44 per cent unable to restore all of their data.
Just 27 per cent of respondents said they would pay a ransom again in the future – reinforcing arguments that not only is it useless to pay ransoms, but that ransomware gangs often return to lock earlier victims’ systems demanding more money than the first time.
Little wonder that cyber security professionals are continuing to check out – a finding that has been reported throughout the pandemic as cyber security professionals fought to avoid “extreme stress or burnout” while securing cloud and other rapidly-deployed business technologies.
Throw in the increasingly stressful circumstances around remote working – whose steady dilution at many bosses’ hands is compounding employee stress and anxiety – and the ever-present risk of being shown the door even after fighting tooth and nail to prevent a breach, and it’s clear cyber security workers are still a long way from workplace nirvana.
“The pressure of failure is significant [and] stressful for a lot of people,” said one local-government CIO who participated in the Deep Instinct survey, noting that “it’s always easy to blame the security team for a hole in the security posture that has actually been exposed by a human in an entirely different department…. SecOps staff get it in the neck when they are working stupid hours to try and keep the ship watertight.”
The sheer breadth of different attack methods is making the situation even worse.
Although supply chain attacks (14 per cent) and ransomware (13 per cent) were the most commonly cited concerns, other complex attack vectors – such as machine learning-based attacks, nation-state cybercriminals, phishing, insider threats and zero-day attacks – weren’t far behind.
“The results show there is not one clear winner, which reinforces why stress levels are so high,” the report notes. “Without a singular focus on one type of attack, resources are stretched thin and it’s obvious to see how a SecOps team may feel deflated against the challenges they face.”
“The pandemic ushered in a new era of work and even after two years, the strategies for securing remote and hybrid organisations are still evolving.”